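只留清白在人间 (Leave Only Innocence in the World)
R-Studio can be used to extract the data.
Unpacking it produces a large number of folders. At first I assumed this was NTFS alternate data stream steganography, but the streams held no data.
Sorting the folders by modification time, however, shows that the folder names, read in chronological order, spell out an archive (extract it with WinRAR).
Write a script to extract it: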
```python
import os
import binascii


def listfindname(directory):
    # Collect only the sub-folders of the extracted directory
    folders = [os.path.join(directory, f) for f in os.listdir(directory)
               if os.path.isdir(os.path.join(directory, f))]
    # Order them by modification time, oldest first
    folders.sort(key=os.path.getmtime)
    # The first character of each folder name is one hex digit of the archive
    zipp = "".join(os.path.basename(folder)[0] for folder in folders)
    zip_data = binascii.unhexlify(zipp)
    with open('flag.zip', 'wb') as f:
        f.write(zip_data)


directory = "The flag is here"
listfindname(directory)
```
IceWater
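I have seen this kind of challenge before: Behinder 4 (冰蝎4) traffic wrapping Behinder 3 (冰蝎3) traffic. The approach is straightforward; the main annoyance is the sheer volume of data.
Behinder 4 part
Recover the XOR key, and the Behinder 4 traffic can then be decrypted.
An ls was executed here, which shows that the directory contains two shells.
This yields she1l.php,
which is the Behinder 3 script. What remains is to decrypt the Behinder 3 traffic in bulk, using the following script: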
```python
import base64
from Crypto.Cipher import AES


def aes_decode(data, key):
    try:
        aes = AES.new(str.encode(key), AES.MODE_CBC, iv=b'\x00' * 16)  # assume the IV is 16 zero bytes
        decrypted_text = aes.decrypt(data)
        decrypted_text = decrypted_text[:-(decrypted_text[-1])]  # strip the padding
        return decrypted_text
    except Exception as e:
        print(f"解密错误: {e}")
        return None


def decrypt_file_line_by_line(input_file, output_file, key):
    with open(input_file, "r", encoding="utf-8") as f_in, open(output_file, "w", encoding="utf-8") as f_out:
        for line in f_in:
            line = line.strip()
            if not line:
                continue
            encrypted_data = base64.b64decode(line)
            decrypted_data = aes_decode(encrypted_data, key)
            if decrypted_data:
                f_out.write(decrypted_data.decode("utf-8") + "\n")


if __name__ == '__main__':
    key = '5b4582c9d56b5b33'
    input_file = "encrypted_data.txt"
    output_file = "decrypted_output.txt"
    decrypt_file_line_by_line(input_file, output_file, key)
```
Then clean the output up by hand and Base64-decode it:
```python
import base64


def decode_base64_file(input_file, output_file):
    with open(input_file, "r", encoding="utf-8") as f_in, open(output_file, "w", encoding="utf-8") as f_out:
        for line in f_in:
            line = line.strip()
            if not line:
                continue  # skip empty lines
            decoded_bytes = base64.b64decode(line)  # Base64 decode
            decoded_text = decoded_bytes.decode("utf-8", errors="ignore")
            f_out.write(decoded_text + "\n")


if __name__ == '__main__':
    input_file = "decrypted_output.txt"
    output_file = "decoded_output1.txt"
    decode_base64_file(input_file, output_file)
```
Concatenating the pieces gives a complete PNG image; running blind-watermark extraction on it yields the flag.
Steganography_challenges0.3
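This challenge is even more outlandish. First, there is an image at the end of the file that has to be extracted. The LSBs also carry data; the script mentions a weak password, so I tried password and it decrypted.
Decode it following the script supplied with the challenge: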
```python
from PIL import Image
import numpy as np
import libnum


def rc4_decrypt(data, key):
    try:
        from Crypto.Cipher import ARC4
        cipher = ARC4.new(key.encode('utf-8'))
        return cipher.decrypt(data)
    except Exception as e:
        print(f"[!] 解密失败: {e}")
        return None


def main():
    key = "password"
    img = Image.open("Steganography_challenges0.3.png")
    w, h = img.size
    img_arr = np.array(img)
    decrypted_pixels = np.zeros_like(img_arr, dtype=np.uint8)  # make sure the dtype is correct
    for y in range(h):
        for x in range(w):
            r, g, b = img_arr[y, x]
            rgb_bytes = bytes([r, g, b])
            # Each pixel is decrypted on its own with a fresh RC4 keystream
            dec_rgb = rc4_decrypt(rgb_bytes, key)
            if not dec_rgb or len(dec_rgb) < 3:
                continue
            decrypted_pixels[y, x] = [dec_rgb[0], dec_rgb[1], dec_rgb[2]]
    img1 = Image.fromarray(decrypted_pixels)
    img1.save("decrypted_image.png")


if __name__ == "__main__":
    main()
```
After that, the script from the WMCTF challenge solves it directly:
```python
from PIL import Image
import numpy as np
from Crypto.Util.number import *
import matplotlib.pyplot as plt
import pywt
import cv2

p = Image.open('flag.png').convert('RGB')
p_data = np.array(p)
R = p_data[:,:,0]
G = p_data[:,:,1].astype(np.float32)
B = p_data[:,:,2].astype(np.float32)


def string_to_bits(s):
    return bin(bytes_to_long(s.encode('utf-8')))[2:].zfill(8 * ((len(s) * 8 + 7) // 8))


def bits_to_string(b):
    n = int(b, 2)
    return long_to_bytes(n).decode('utf-8', 'ignore')


# Stage 1: plain LSB data in the red channel
data = R.reshape(-1)%2
print(long_to_bytes(int(''.join([str(i) for i in data]),2)).replace(b'\x00',b''))


def extract_qim(block, delta):
    block_flat = block.flatten()
    avg = np.mean(block_flat)
    mod_value = avg % delta
    if mod_value < delta / 4 or mod_value > 3 * delta / 4:
        return '0'
    else:
        return '1'


# Stage 2: QIM watermark in the DWT LL band of the green channel
def extract_watermark1(G_watermarked, watermark_length, delta=64):
    watermark_bits = []
    block_size = 8
    k = 0
    for i in range(0, G_watermarked.shape[0], block_size):
        for j in range(0, G_watermarked.shape[1], block_size):
            if k < watermark_length * 8:
                block = G_watermarked[i:i+block_size, j:j+block_size]
                if block.shape != (block_size, block_size):
                    continue
                coeffs = pywt.dwt2(block, 'haar')
                LL, (LH, HL, HH) = coeffs
                bit = extract_qim(LL, delta)
                watermark_bits.append(bit)
                k += 1
    # convert the bit sequence to a string
    watermark_str = bits_to_string(''.join(watermark_bits))
    return watermark_str


print(extract_watermark1(G,253,8))


def dct2(block):
    return cv2.dct(block.astype(np.float32))


def idct2(block):
    return cv2.idct(block.astype(np.float32))


def svd2(matrix):
    U, S, V = np.linalg.svd(matrix, full_matrices=True)
    return U, S, V


def inverse_svd2(U, S, V):
    return np.dot(U, np.dot(np.diag(S), V))


# Stage 3: DCT + SVD watermark in the blue channel, compared against the original
def extract_watermark2(B_watermarked, B, watermark_length):
    h, w = B_watermarked.shape
    watermark_bits_extracted = []
    bit_index = 0
    for i in range(0, h, 8):
        for j in range(0, w, 8):
            if bit_index >= watermark_length * 8:
                break
            block_wm = B_watermarked[i:i+8, j:j+8]
            block_orig = B[i:i+8, j:j+8]
            dct_block_wm = dct2(block_wm)
            dct_block_orig = dct2(block_orig)
            U_wm, S_wm, V_wm = svd2(dct_block_wm)
            U_orig, S_orig, V_orig = svd2(dct_block_orig)
            delta_S = S_wm[0] - S_orig[0]
            if delta_S == 0:
                watermark_bits_extracted.append('1')
            else:
                watermark_bits_extracted.append('0')
            bit_index += 1
    watermark_bits_extracted = ''.join(watermark_bits_extracted)
    return bits_to_string(watermark_bits_extracted)


B_ori = np.array(Image.open('B.png').convert('L'))
print(extract_watermark2(B, B_ori, 83))
```
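Decode using the image from the end of the file together with the original challenge.
Note that the extracted image contains one anomalous IDAT chunk. It has to be extracted separately, with the IDAT length field removed.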
Hey boy, I'm here to help you, now you'ze one step away from successl let me |ell you key:79557c2d8f94;
Finally, mount it with VC: the password is the one recovered by the QIM extraction, and the container is the anomalous IDAT chunk.
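One way to locate and carve the anomalous IDAT chunk described above, as an added example that is not part of the original writeup. It assumes the anomaly is an IDAT chunk that appears after the image's zlib stream has already ended; the 2x2 PNG and the `HIDDEN` payload are constructed sample data.

```python
import struct
import zlib

PNG_SIG = b"\x89PNG\r\n\x1a\n"
HIDDEN = b"constructed-hidden-payload"  # constructed stand-in for the embedded container

def make_chunk(ctype, data):
    """Serialize one chunk: 4-byte length, type, data, CRC32 over type+data."""
    crc = zlib.crc32(ctype + data)
    return struct.pack(">I", len(data)) + ctype + data + struct.pack(">I", crc)

def parse_chunks(png):
    """Yield (type, data, crc_ok) for every chunk after the 8-byte signature."""
    if png[:8] != PNG_SIG:
        raise ValueError("not a PNG file")
    pos = 8
    while pos + 12 <= len(png):
        (length,) = struct.unpack(">I", png[pos:pos + 4])
        end = pos + 8 + length
        if end + 4 > len(png):
            raise ValueError("truncated chunk at offset %d" % pos)
        ctype, data = png[pos + 4:pos + 8], png[pos + 8:end]
        (crc,) = struct.unpack(">I", png[end:end + 4])
        yield ctype, data, crc == zlib.crc32(ctype + data)
        pos = end + 4

def split_idat(png):
    """Return (pixel_bytes, leftovers): IDAT data seen after the zlib stream ended."""
    inflater = zlib.decompressobj()
    pixels, leftovers = b"", []
    for ctype, data, _ in parse_chunks(png):
        if ctype != b"IDAT":
            continue
        if inflater.eof:
            leftovers.append(data)  # payload only: length, type and CRC are dropped
        else:
            pixels += inflater.decompress(data)
    return pixels, leftovers

def build_sample():
    """Constructed 2x2 grayscale PNG with one extra IDAT chunk after the image data."""
    raw = b"\x00\x10\x20" + b"\x00\x30\x40"  # filter byte + 2 pixels per row
    z = zlib.compress(raw)
    ihdr = struct.pack(">IIBBBBB", 2, 2, 8, 0, 0, 0, 0)
    chunks = [(b"IHDR", ihdr), (b"IDAT", z[:5]), (b"IDAT", z[5:]),
              (b"IDAT", HIDDEN), (b"IEND", b"")]
    return PNG_SIG + b"".join(make_chunk(t, d) for t, d in chunks)

if __name__ == "__main__":
    pixels, leftovers = split_idat(build_sample())
    print(len(pixels), [len(x) for x in leftovers])
```

Writing each entry of `leftovers` to its own file gives the raw chunk payload without the PNG framing.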
并非乱ping (Not Random Pinging)
First, have an AI write the decoding script directly; it recovers the archive password.
```python
import wave


def extract_message(stego_wav):
    with wave.open(stego_wav, 'rb') as wav:
        frames = wav.readframes(wav.getnframes())
    binary_message = ''
    for byte in frames:
        # The hidden bit is the second-lowest bit of every byte
        binary_message += str((byte >> 1) & 1)
    message_bytes = []
    for i in range(0, len(binary_message), 8):
        byte = binary_message[i:i+8]
        if byte == '00000000':  # terminator
            break
        message_bytes.append(int(byte, 2))
    message = ''.join(chr(byte) for byte in message_bytes)
    return message


if __name__ == "__main__":
    stego_file = "恋人を射ち堕とした日.wav"
    hidden_message = extract_message(stego_file)
    print("Hidden Message:", hidden_message)
```
The archive password is:
oSthinggg
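The archive contains a packet capture whose bytes have been reversed; reversing it again restores it.
The challenge name mentions ping, so look at the ICMP traffic.
The values turn out to be 127, 63, 191 and 225. Extract them and take the first two bits of each value's binary representation; that is the flag.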
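The two-bit decoding described above, as an added example that is not part of the original writeup. It assumes the bit pairs are packed most significant first, four values per byte; `SAMPLE` is constructed input produced by the hypothetical helper `to_values`, not data from the challenge capture.

```python
from collections import Counter

def decode_top_bits(values):
    """Concatenate the two most significant bits of each 8-bit value, MSB first."""
    bits = "".join(format(v & 0xFF, "08b")[:2] for v in values)
    usable = len(bits) - len(bits) % 8  # ignore a trailing partial byte
    return bytes(int(bits[i:i + 8], 2) for i in range(0, usable, 8))

def to_values(data):
    """Build constructed sample input: each 2-bit pair p becomes (p << 6) | 0x3F."""
    out = []
    for byte in data:
        for shift in (6, 4, 2, 0):
            out.append((((byte >> shift) & 3) << 6) | 0x3F)
    return out

def channel_profile(values):
    """Summarise the sequence: number of distinct values and count per 2-bit symbol."""
    return {"distinct_values": len(set(values)),
            "symbols": Counter(v >> 6 for v in values)}

# Constructed sample, not taken from the challenge capture
SAMPLE = to_values(b"flag{constructed}")

if __name__ == "__main__":
    print(channel_profile(SAMPLE))
    print(decode_top_bits(SAMPLE))
```

A long sequence that takes only four distinct values, one per two-bit symbol, is the profile this encoding leaves behind, which `channel_profile` makes visible.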
Originally published on the WeChat official account 天命团队: Complete Misc Writeup for the 2025 West Lake Sword (西湖论剑) Finals